Course Blog

Sunday, April 11, 2010

Project - Secure Email

The Secure Email project I did this week was a very interesting one for me, as I was not aware that sending secure e-mails would be so easy!
I found an interesting article, published on March 26, 2010 on www.infolawgroup.com, that deals with the current lawsuits against "Dave & Buster's", a restaurant chain, over the theft of important customer data that resulted in large financial damage for consumers. The article describes a data security breach that dates back to the period from April 30 to August 28, 2007, during which hackers exploited vulnerabilities in the restaurant chain's system, installed unauthorized software on it, and gained access to the information of about 130,000 credit and debit cards. Dave & Buster's collected several highly important and sensitive pieces of information from its customers, among them the "credit card account number, expiration date, and an electronic security code for payment card authorization". This data was collected and stored on the restaurants' in-store servers and then sent to a third-party credit card processing company, so a great deal of communication and transfer of customer information took place. As came out later, this communication of data and information was not secured at all:
There was no restriction on which IP addresses could access the restaurants' servers, no network security at all, no identification or authorization was required to view or send sensitive information, no firewalls or separation of the payment card system from the rest of the company's network, and so on.
Dave & Buster's even failed to apply readily available security measures, such as requiring a password before granting access to a wireless network, which the majority of home users apply today. Consequently, it was almost an invitation for hackers to access Dave & Buster's system and steal customer information from its servers. The FTC has now required Dave & Buster's to "establish and maintain a comprehensive information security program and obtain independent audits by a qualified person", for example a CISSP (Certified Information Systems Security Professional). Among other things, the restaurant chain is therefore required to: designate an employee to oversee and coordinate its information system security; conduct risk assessments and identify possible threats to data security; apply appropriate measures to guarantee the security of customer data; guarantee the security of customer data also in its communication and collaboration with third-party service providers; and regularly test and measure the effectiveness of its security program and update it.

As this article shows, data security is a highly important and sensitive topic in today's world. However, when a company fails even at the most basic level of data security, such as controlling access to its wireless network with a password or a similar measure, it is very doubtful that it can take the next step and implement secure communication methods such as secure e-mail. Consequently, preventing unauthorized access to your network, and then securing the channels over which you communicate customers' highly sensitive information, should be a basic requirement for conducting business in today's world.
